I just published a new release of Snuffleupagus, the hardening module for php7+ and php8+, version 0.13.0, codename "Elephas", named after the genus of elephants. There aren't any new flashy features, only bug fixes, PHP 8.5 support, minor improvements, and a security fix for CVE-2026-22034!
Thanks to Thomas Chauchefoin for finding the vulnerability and producing a comprehensive write-up. While being assigned a CVE is never fun, it's also a sign that people are interested in your software enough to spend the time to look for bugs. Moreover, I guess it was a learning opportunity to be on the other side for once. As usual, the CVSS score (9.2/10) is bullshit by design as there is no way to properly account for the required conditions:
- Snuffleupagus' upload_validation to be enabled, which isn't the default configuration.
- To be manually configured to use vld.
- To have the vld module unavailable.
Nevertheless, as PHP isn't erroring out on missing modules (!), any update or change that breaks vld might silently result in a catastrophic remote code execution, so please do update. The fix is dead-simple and can easily be backported if that's your kink.
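A preflight check for the failure mode described above, added here as an example and not code from Snuffleupagus itself: it verifies that every PHP extension a feature depends on is actually loaded before that feature is relied upon, since PHP does not fail when a configured extension is missing. It assumes that `php -m` lists the loaded modules one per line under the names "snuffleupagus" and "vld"; the module list is read from a file so the function can be fed real `php -m` output or the constructed sample below.

```shell
#!/bin/sh
# Added example (not part of Snuffleupagus): refuse to consider a deployment
# healthy unless the extensions it depends on are reported as loaded.

# required_modules_loaded MODULE_LIST_FILE MODULE...
# Returns 0 when every MODULE appears as a whole line in the list file
# (the format `php -m` prints), 1 otherwise; missing names go to stderr.
required_modules_loaded() {
    list="$1"; shift
    missing=""
    for mod in "$@"; do
        # -x: whole-line match, -i: php -m casing varies between extensions
        if ! grep -qix "$mod" "$list"; then
            missing="$missing $mod"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing PHP extension(s):$missing" >&2
        return 1
    fi
    return 0
}

# On a real host (assumed module names, see lead-in):
#   php -m > /tmp/php_modules.txt
#   required_modules_loaded /tmp/php_modules.txt snuffleupagus vld || exit 1

# Constructed sample: snuffleupagus is loaded, but vld silently is not,
# i.e. exactly the precondition the advisory describes.
SAMPLE_MODULES=$(mktemp)
printf '%s\n' '[PHP Modules]' Core ctype date json snuffleupagus \
    '' '[Zend Modules]' snuffleupagus > "$SAMPLE_MODULES"

if required_modules_loaded "$SAMPLE_MODULES" snuffleupagus vld; then
    echo "all required extensions loaded"
else
    echo "refusing to enable upload_validation on this host"
fi
rm -f "$SAMPLE_MODULES"
```

Run it from the same user and with the same php.ini as the web server's PHP, otherwise the module list may differ from what the application actually sees.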
Changelog
- Compatibility with PHP 8.5
- Add the possibility to log to a file
- Improve .drop() logging reliability when set_error_handler is used
- Improve simulation mode for unserialize() when no HMAC key is provided
- Fix a possible arbitrary code execution on misconfigured upload_validation deployments (CVE-2026-22034)
As usual, if you want to help, we have some low hanging fruits ♥
See you in your PHP stack!
